-
-
Notifications
You must be signed in to change notification settings - Fork 14
128 lines (114 loc) · 4.06 KB
/
_meta-build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
on:
workflow_call:
inputs:
app-version:
type: string
required: false
default: "snapshot"
description: "the version that should be set/used as tag for the container image"
publish-container:
type: boolean
required: false
default: false
description: "publish and scan the container image once its built"
secrets:
registry-0-usr:
required: true
registry-0-psw:
required: true
jobs:
build-java:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/[email protected]
- name: Set up JDK
uses: actions/[email protected]
with:
distribution: 'temurin'
java-version: '17'
cache: 'maven'
- name: Setup CycloneDX CLI
run: |
mkdir -p "$HOME/.local/bin"
echo "$HOME/.local/bin" >> $GITHUB_PATH
wget -O "$HOME/.local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64
echo "ef0d3b31d176e02bc594f83e19cfcea053c6bc5b197351f71696e189390f851d $HOME/.local/bin/cyclonedx" | sha256sum -c
chmod +x "$HOME/.local/bin/cyclonedx"
- name: Build with Maven
run: |-
mvn clean
mvn package -Dmaven.test.skip=true -P enhance -P embedded-jetty -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
mvn clean -P clean-exclude-wars
mvn cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
- name: Upload Artifacts
uses: actions/[email protected]
with:
name: assembled-wars
path: |-
target/*.jar
target/bom.json
build-container:
runs-on: ubuntu-latest
needs:
- build-java
steps:
- name: Checkout Repository
uses: actions/[email protected]
- name: Download Artifacts
uses: actions/[email protected]
with:
name: assembled-wars
path: target
- name: Set up QEMU
uses: docker/[email protected]
- name: Set up Docker Buildx
uses: docker/[email protected]
id: buildx
with:
install: true
- name: Login to GitHub Container Registry
uses: docker/[email protected]
if: ${{ inputs.publish-container }}
with:
registry: ghcr.io
username: ${{ secrets.registry-0-usr }}
password: ${{ secrets.registry-0-psw }}
- name: Set Container Tags
id: tags
run: |-
TAGS="ghcr.io/dependencytrack/hyades-apiserver:${{ inputs.app-version }}"
if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
TAGS="${TAGS},ghcr.io/dependencytrack/hyades-apiserver:latest"
fi
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
- name: Build multi-arch Container Image
uses: docker/[email protected]
with:
tags: ${{ steps.tags.outputs.tags }}
build-args: |-
APP_VERSION=${{ inputs.app-version }}
COMMIT_SHA=${{ github.sha }}
WAR_FILENAME=dependency-track-apiserver.jar
platforms: linux/amd64,linux/arm64
push: ${{ inputs.publish-container }}
context: .
file: src/main/docker/Dockerfile
- name: Run Trivy Vulnerability Scanner
if: ${{ inputs.publish-container }}
<<<<<<< HEAD
uses: aquasecurity/[email protected]
=======
uses: aquasecurity/[email protected]
>>>>>>> a7020826dd7b28165d5dab2b74a966ffceaf927a
with:
image-ref: ghcr.io/dependencytrack/hyades-apiserver:${{ inputs.app-version }}
format: 'sarif'
output: 'trivy-results.sarif'
ignore-unfixed: true
vuln-type: 'os'
- name: Upload Trivy Scan Results to GitHub Security Tab
if: ${{ inputs.publish-container }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'